How the Proxy Network Operated
Google’s Threat Intelligence Group (GTIG) has significantly disrupted NetNut, a massive residential proxy network that turned home devices into rented relays for cybercriminal traffic. Working with the FBI, Lumen, and other partners, Google reduced the network’s pool of usable devices by millions. GTIG estimates NetNut, also tracked as Popa, controlled at least 2 million devices worldwide, including smart TVs and streaming boxes. Attackers paid to route their traffic through these home internet connections, making their activities appear as ordinary home browsing rather than datacenter traffic that security tools typically block.
The network grew by embedding its code on devices in two ways: some cheap off-brand hardware shipped with it pre-installed, while other devices acquired it through free apps that concealed the proxy functionality. Once activated, each device became an exit node, funneling outside traffic through the home network and giving attackers a foothold to reach other devices on the same network. In a single week in June, GTIG identified 316 distinct threat clusters using suspected NetNut exit nodes, including cybercriminal and espionage groups conducting password-guessing attacks.
The Company and the Takedown Challenge
Unlike most proxy botnets, NetNut traces back to a publicly traded company. Researchers at Qurium, Synthient, Nokia Deepfield, and Spur linked Popa to NetNut, which is owned by Israeli company Alarum Technologies (NASDAQ: ALAR). Synthient demonstrated that traffic sent into NetNut’s commercial gateway emerged through a device enrolled in Popa. Alarum rejects the botnet label, stating its software is for consented bandwidth sharing and does not compromise devices. However, Synthient reported that none of the more than 20 apps it examined showed users a consent prompt.
Google describes this as a degradation rather than a complete takedown, because NetNut operates a reseller program that allows other companies to sell its network under their own brand names. Many seemingly independent proxy brands are actually reselling the same NetNut pool, so a single disruption affects multiple brands simultaneously. Google notes that previous actions against similar networks, such as IPIDEA, showed these networks can appear resilient by simply buying capacity from rivals. Lasting damage requires targeting several connected providers at once. Consumers should watch for apps offering payment for unused bandwidth or internet sharing, stick to official app stores, check permissions carefully, and buy streaming hardware from known manufacturers rather than no-name brands.
Source: The Hacker News
